IGTF Guidelines for Secure Operation of Attribute Authorities and issuers of statements for entities

These guidelines describe the minimum requirements and recommendations for the secure operation of attribute authorities and similar services that make statements about an entity based on well-defined attributes. Adherence to these guidelines may help to establish trust between communities, operators of attribute authorities and issuers, and Relying Parties, infrastructures, and service providers. This document does not define an accreditation process.

• Guidelines for Secure Operation of Attribute Authorities and issuers of statements for entities (2022) (AARC-G071)
  Status: Endorsed by IGTF, endorsed by AEGIS (April 11, 2022)
  Formats available: OfficeXML docx, Adobe PDF
  DOI: 10.5281/zenodo.5927799.
  
  Guideline AARC-G071 (previously also known as G048 revision 2) evolved and clarifies the scope of the guidance for Attribute Authority operators. Specifically, we realise that the AAOPS guidelines are applicable not only ot the membership management services, but are equally relevant for the other proxy components. In the revision process, we look at generalising the guidance so that attribute-specific elements are removed and more flexibility is added to cater do the various proxy delivery models (as-a-service, bespoke, multi-tenant, and on-prem).
  
  Review process information: AARC Wiki.
  
  

Historic versions

• AA Operations Security Guideline (AARC-G048)
  Status: Superseded by AARC-G071, AAOPS v2 (AARC-G048)
  Formats available: Adobe PDF;

  This guideline describes the minimum requirements and recommendations for the operation of Attribute Authority Services and other issuers of authorisation information.

  Supporting documention:

  • Assessment sheet (PDF)
  • Assessment sheet (ODS)

  Revisions activities:

  • AARC-G048 document page
  Other versions:
  
  • Wiki version (2012, basis for version 1)
  • Version 1.0: Adobe PDF; Microsoft Word.
  • Version 1.1: Microsoft Word